Security

Mike Perham edited this page Nov 28, 2017 · 15 revisions

There are two aspects of security to consider.

Encryption via TLS

If your use case requires TLS, we recommend putting stunnel or spiped "in front of" Faktory. For instance, here's how to build a Docker container with a stunnel frontend: https://dzone.com/articles/using-honcho-to-create-a-multi-process-docker-cont.

You can configure the Go and Ruby clients to use TLS by including tls in the URL scheme:

tcp+tls://myhost.example.com:7419

Authentication

Faktory uses a global password to verify client connections. When connecting, the server immediately sends a HI challenge with a nonce. All clients must send a HELLO command to Faktory with a pwdhash attribute based on that nonce.

The password is passed to the Faktory clients in the URL: tcp://:mypassword@some-hostname.example.com:7419

Password Configuration

Faktory looks for a password in the FAKTORY_PASSWORD environment variable or in /etc/faktory/password.

Random Password

Here's a one-liner to create a random hex password:

$ dd count=1 if=/dev/urandom 2>&1| shasum | tail -1 | cut -c1-32
0bf64d9491ca65b48f9fe07636680b1d

If you're using Docker, you can add the password as a managed secret.

$ echo "0bf64d9491ca65b48f9fe07636680b1d" | docker secret create faktory_password -

and then mount it into your Faktory container:

$ docker service create --name faktory --secret faktory_password contribsys/faktory:latest

Web UI

If Faktory is configured to use a password, the Web UI also enables HTTP Basic Auth with that same password. The username can be any value.

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.